The new methods are designed to disrupt the structure of a URL, allowing it to bypass security scanners and email filters
A new report from cybersecurity firm Barracuda has revealed that the creators of a widely used “phishing-as-a-service” kit are employing increasingly sophisticated techniques to outsmart security systems and lure victims. The findings show how the Tycoon kit is using a variety of clever tricks to obscure malicious links, making them difficult for both automated defence software and human users to detect.
The new methods are designed to disrupt the structure of a URL, allowing it to bypass security scanners and email filters. Among the techniques highlighted in the report are:
Invisible Characters: Malicious links are being embedded with invisible spaces, special Unicode symbols that look like common characters, or hidden email addresses, all of which confuse security tools trying to verify the web address.
Split Hyperlinks: In some attacks, only a benign portion of a URL is hyperlinked, while the malicious part is left as plain text. This tricks security tools into ignoring the dangerous part of the link, assuming it is inert.
The Reputable Ruse: Attackers are exploiting a feature of web browsers by inserting the @ symbol into a link. Everything before the @ is treated as user information, allowing them to place a trustworthy-looking name, such as “office365,” to create a false sense of security. The true, malicious destination of the link is only revealed after the symbol.
Symbolic Disguise: The report also notes the use of unusual symbols like backslashes (\) or dollar signs ($) in URLs. These characters are not typically found in legitimate web addresses and are used to intentionally disrupt how security tools read the link, allowing the toxic URL to slip through unnoticed.
“Security tools are increasingly effective at spotting and blocking malicious links in phishing emails, and this is driving attackers to continuously invent new and more sophisticated ways to disguise such links,” said Saravanan Mohankumar, Manager of the Threat Analysis team at Barracuda.
As email-borne threats continue to evolve, cybersecurity professionals are urging for a multi-layered defence. The report suggests that a combination of AI and machine-learning solutions, both at the email gateway and after delivery, can provide robust protection. However, as with all phishing threats, these technical measures must be paired with ongoing security awareness training to help employees spot and report new and emerging scams.